Requirement
Requirement lens
Remote working is not just VPN access. The control covers information accessed, processed, or stored outside the organization’s premises.
“Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises.”
Plain-language meaning
When people work away from organization premises, the organization still has to protect information. That includes homes, hotels, coffee shops, customer sites, temporary offices, shared workspaces, and other remote locations.
Remote working should be authorized, risk-assessed, controlled, and monitored. The organization should know who is allowed to work remotely, from where, doing what, with which data, using which equipment, and under which controls.
Why this matters
Remote work changes the control environment. Homes do not usually have office-grade physical security. Public locations expose screens, calls, papers, and devices to strangers. Family members, visitors, shared networks, unmanaged devices, weak Wi-Fi, and lost equipment can all expose information.
Remote access also increases dependence on secure connections, endpoint protection, access control, asset inventory, and user behavior.
Implementation guidance
Implementer focus
Treat remote work as an authorized work pattern with defined conditions, not an informal convenience.
1. Define remote working policy and scope
The policy should define:
- who may work remotely;
- which roles and activities are allowed;
- which locations are acceptable;
- which information types may be accessed remotely;
- which devices and networks may be used;
- what physical controls are expected;
- what logical access controls apply;
- what non-work use is allowed or prohibited;
- who is responsible for each control.
Remote working should only be authorized when sufficient controls are in place.
2. Authorize users, activities, locations, and data
Maintain a record of remote working authorization.
| Authorization item | Why it matters |
|---|---|
| User or role | Shows who is allowed to work remotely |
| Activity type | Prevents high-risk work being performed in unsuitable locations |
| Location type | Distinguishes home, public, customer site, and temporary locations |
| Data allowed | Limits remote access to what the task requires |
| Required controls | Defines minimum security expectations |
| Verification method | Shows controls were checked before authorization |
The auditor will expect the organization to prove this, not just say “remote work is allowed.”
3. Secure remote equipment and connections
Controls may include:
- organization-managed devices;
- encryption of storage;
- screen lock and timeout;
- endpoint protection and patching;
- VPN or approved secure access method;
- multi-factor authentication;
- restriction of local data storage;
- secure configuration;
- logging and monitoring;
- remote wipe capability where appropriate;
- asset inventory entries for remote equipment.
Remote equipment should be included in the asset register where it is used to access, process, or store organization information.
4. Control physical and environmental risks
Remote workers should protect information from family members, visitors, the public, and unauthorized viewing.
Practical controls include:
- private workspace where possible;
- clear desk and secure storage;
- privacy screens where appropriate;
- secure printing restrictions;
- no unattended papers or devices;
- avoiding confidential calls in public places;
- preventing shoulder-surfing;
- secure disposal or return of printed material.
Public locations need stricter limits. Some work should not be performed in coffee shops, airports, or shared public areas.
5. Limit information available remotely
Remote access should be limited to information needed for authorized tasks. Avoid broad access because it is convenient.
This links to A.5.15 Access Control, A.5.18 Access Rights, and A.5.12 Classification of Information.
6. Define non-work use rules
Remote working equipment should have clear rules for personal use, games, personal browsing, personal accounts, family use, and installation of unapproved software.
The issue is not moral preference. Non-work use can introduce malware, account mixing, data leakage, and evidence ambiguity.
Audit guidance
Auditor focus
Test whether remote working is authorized and controlled in practice. A policy alone is weak evidence.
Auditors should verify that authorized remote workers, activities, locations, data access, equipment, and controls are recorded and reviewed.
Audit testing should include:
- remote working policy and procedures;
- remote working authorization register;
- risk assessment for remote working;
- equipment asset register entries;
- secure connection configuration;
- access control restrictions;
- endpoint security and encryption evidence;
- user awareness and training records;
- rules for non-work use;
- verification evidence that controls are in place;
- samples of users working from home, public locations, customer sites, and other remote environments where applicable.
The auditor should challenge vague statements such as “staff may work remotely if they use VPN” because remote working also creates physical, behavioral, device, data, and location risks.
Evidence examples
Evidence quality
Strong evidence shows authorization, risk assessment, technical controls, physical expectations, user awareness, and operating verification.
| Evidence | What it proves |
|---|---|
| Remote working policy | Rules and conditions are documented |
| Remote working authorization register | Users, locations, activities, and data access are approved |
| Remote working risk assessment | Risks and controls were considered |
| Asset register entries | Remote equipment is known and owned |
| VPN/secure access configuration | Connections are protected |
| MFA and access control records | Remote access is restricted |
| Endpoint encryption and patch evidence | Equipment is protected |
| Awareness records | Users know remote working expectations |
| Non-work use rules | Personal use risks are controlled |
| Review records | Remote work permissions and controls are maintained |
Strong evidence
- Authorized remote workers, activities, locations, and data access are recorded.
- Remote access is limited to required information and tasks.
- Equipment is managed, encrypted, patched, and included in the asset register.
- Secure connections and MFA are enforced.
- Physical controls for home and public work are defined and communicated.
- Non-work use rules are clear.
- Controls are verified before or during remote working authorization.
- Remote working risks are reviewed when roles, locations, data, or threats change.
Weak evidence
- VPN access exists but no remote working authorization process.
- No record of who is allowed to work remotely or with what data.
- Personal devices used without documented controls.
- Remote equipment missing from the asset register.
- Public-location work has no restrictions.
- No physical security expectations for home work.
- Broad access granted because remote access is technically possible.
- No rule on family/shared use or personal software.
Common failures
Implementation watchouts
Remote working fails when the organization controls the network connection but ignores the remote environment.
| Failure | Why it matters |
|---|---|
| VPN-only thinking | Physical, endpoint, data, and behavior risks remain |
| No authorization register | The organization cannot prove who may work remotely |
| Personal device ambiguity | Ownership, control, monitoring, and evidence become unclear |
| Remote equipment not inventoried | Lost or unmanaged devices are missed |
| No data limits | Sensitive information becomes available in unsuitable locations |
| No public-location rules | Screens, paper, and calls can be exposed |
| No control verification | The organization assumes controls exist |
Exam traps
Exam focus
Remote working is about protecting information outside organization premises. Do not reduce it to VPN.
| Trap | Correct interpretation |
|---|---|
| VPN satisfies remote working | VPN helps, but physical, device, access, data, and user controls are also needed |
| Home is automatically secure | Home spaces may be accessible to family members or visitors |
| Coffee-shop work is equivalent to home work | Public locations have higher shoulder-surfing, paper, call, and device risks |
| All remotely accessible information is acceptable | Remote access should be limited to what is needed |
| Remote devices are outside asset inventory | Remote equipment used for organization information should be tracked |
| Personal use is harmless | Non-work use can introduce malware, leakage, and control ambiguity |
Related controls and concepts
- A.6 People Controls MOC
- A.6.3 Information Security Awareness Education and Training
- A.6.5 Responsibilities After Termination or Change of Employment
- A.5.9 Inventory of Information and Other Associated Assets
- A.5.10 Acceptable Use of Information and Other Associated Assets
- A.5.12 Classification of Information
- A.5.14 Information Transfer
- A.5.15 Access Control
- A.5.18 Access Rights
- A.5.34 Privacy and Protection of PII
- Remote Working Authorization Register
- Remote Working Security Checklist
- Remote Working Risk Assessment
- A.6.7 Audit Evidence Pack
- A.6.7 Audit Checklist
KB-ready summary
- A.6.7 requires security measures for remote work to protect information outside organization premises.
- Remote work should be authorized by user, activity, location, data, equipment, and required controls.
- Controls should cover physical security, secure connections, endpoints, access, awareness, and non-work use.
- Remote equipment should be included in the asset register where relevant.
- Remote access should be limited to information required for the task.
- Audit evidence should show authorization, risk assessment, control verification, and ongoing review.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- People controls
- Remote working
- Audit
Note Metadata
Aliases: A.6.7, Remote Working
Source: 03 Annex A People Controls/A.6.7 Remote Working.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
10
links
Control
ISO 27001 A.6.7 - Remote WorkingRequirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.15 - Access Control
- ISO 27001 A.5.18 - Access Rights
- ISO 27001 A.5.34 - Privacy and Protection of PII
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- ISO 27001 A.6.3 - Information Security Awareness, Education and Training
- ISO 27001 A.6.5 - Responsibilities After Termination or Change of Employment
- A.6 People Controls MOC
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.8 - Equipment Siting and Protection
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.6.7 Audit Evidence Pack
- AQ-ISO27001-A.6.7 Remote Working
- ISO 27001 A.8.1 - User End Point Devices
- A.8 Technological Controls MOC
- A.6 People Controls Implementation Guide
- A.6 People Controls Audit Guide
- ISO27001-A.6.7 Remote Working
- A.6 People Controls Implementation Audit Risk Mapping
- EXAM-019 - Remote Working and Event Reporting
- ISO 27002 Annex A Control Interpretation Map
- A.6.7 Audit Checklist
- Endpoint Device Security Standard
- Off-Premises Asset Authorization Register
- Remote Access and Endpoint Connection Checklist
- Remote Equipment Register
- Remote Working Authorization Register
- Remote Working Risk Assessment
- Remote Working Security Checklist
- Web Filtering Coverage Review
- Annex A Controls MOC